Reputation: 3225
Here is how I initialize MessageDigest:

    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    private static MessageDigest messageDigest;
    public static final String SALT_DO_NOT_CHANGE = "somesalt";

    static {
        try {
            messageDigest = MessageDigest.getInstance("SHA-512");
            // feeds the salt into the digest state once, at class initialization
            messageDigest.update(SALT_DO_NOT_CHANGE.getBytes());
        } catch (NoSuchAlgorithmException e) {
            LOGGER.error("error for message digest", e); // LOGGER is declared elsewhere in the class
            throw new RuntimeException("could not initialize message digest");
        }
    }
And here is how I digest to get the bytes for the password, which I later convert to a string (no issue there):

    import java.nio.charset.StandardCharsets;

    byte[] bytes = messageDigest.digest(password.getBytes(StandardCharsets.UTF_8));
Now assume the password is "Password@1".
Here is the output the first time (apologies for the long text below):

    115,83,48,-2,41,29,-99,71,-54,-53,-26,-67,-118,48,-75,77,13,100,42,70,-72,110,-85,23,-38,119,-110,-15,121,3,-25,114,-68,109,-108,94,-122,65,-62,10,-90,8,-125,114,-118,51,-51,89,127,55,37,83,-126,56,-31,-27,-49,-60,25,74,-80,-110,23,45
And here is the output from the second time onwards. It remains the same after this:

    -62,-50,45,-44,91,-86,16,90,85,53,101,-122,51,12,-82,52,-123,-101,-10,-28,-108,114,120,-96,84,-23,38,-75,78,67,36,-93,-88,-11,79,76,126,-34,-2,109,76,-31,-30,-86,-28,13,-91,-22,-65,-128,108,-47,15,19,95,60,-30,-123,-4,20,-64,21,-1,7

Can someone please help me understand what is happening here?
Upvotes: 1
Views: 571
Reputation: 39010
The static block is only run once, when the class is loaded (or more exactly, initialized, but in practice that happens at load). Thus if you have a method that does messageDigest.digest(password), on the first call it computes the digest of the bytes of somesaltPassword@1, which is your first value, and leaves the messageDigest object reset; any subsequent call computes the digest of the bytes of Password@1, which is your second value, and again leaves it reset.
BTW the entire purpose and reason for using salt is that it does change, plus doing a single fast hash of a password (even with salt) is not secure unless it's a very high-entropy password (more than a human can remember), but those are off-topic for SO; search security.SX and/or crypto.SX, where these have been answered and discussed many times.
Upvotes: 1
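The following is an added, self-contained example (it is neither the asker's code nor the answerer's) that reproduces the one-time-salt behaviour described above, shows that a fresh instance per call makes the output stable, and contrasts it with the per-user random salt plus slow KDF the answer alludes to. The class name, the 210,000-iteration PBKDF2 setting and the 16-byte salt length are my own choices, not anything from the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
public class DigestStateDemo {
    private static final String SALT = "somesalt"; // the fixed salt from the question
    // Reproduces the question: one shared instance, salt fed in only once at class init.
    private static final MessageDigest SHARED = newSha512();
    static { SHARED.update(SALT.getBytes(StandardCharsets.UTF_8)); }

    static MessageDigest newSha512() {
        try {
            return MessageDigest.getInstance("SHA-512");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-512 is required in every JDK", e);
        }
    }

    static byte[] sharedDigest(String password) { // digest() consumes the buffered salt once, then resets
        return SHARED.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Fix for the state bug: a fresh instance (or reset()) and the salt on every call.
    static byte[] saltedSha512(byte[] salt, String password) {
        MessageDigest md = newSha512();
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // What a password store should use instead: a random per-user salt and a slow KDF (assumed parameters).
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 512);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        String pw = "Password@1";
        byte[] first = sharedDigest(pw), second = sharedDigest(pw);
        // first is SHA-512(salt || pw); second, and every later call, is SHA-512(pw)
        System.out.println(Arrays.equals(first, saltedSha512(SALT.getBytes(StandardCharsets.UTF_8), pw))
                + " " + Arrays.equals(second, newSha512().digest(pw.getBytes(StandardCharsets.UTF_8))));
        byte[] userSalt = new byte[16];
        new SecureRandom().nextBytes(userSalt); // per-user random salt, stored beside the hash
        System.out.println(pbkdf2(pw.toCharArray(), userSalt).length + " bytes from PBKDF2");
    }
}
```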